CRYPTOGRAPHIC PROPERTIES OF ADDITION MODULO 2n S. M. DEHNAVI∗, A. MAHMOODI RISHAKANI, M. R. MIRZAEE SHAMSABAD, HAMIDREZA MAIMANI, EINOLLAH PASHA Abstract. The operation of modular addition modulo a power of two is one of the most applied operations in symmetric cryptogra- phy. For example, modular addition is used in RC6, MARS and Twofish block ciphers and RC4, Bluetooth and Rabbit stream ci- phers. In this paper, we study statistical and algebraic properties of modular addition modulo a power of two. We obtain the probability distribution of modular addition carry bits along with conditional probability distribution of these carry bits. Using these probabil- ity distributions and Markovity of modular addition carry bits, we compute the joint probability distribution of arbitrary number of modular addition carry bits. Then, we examine algebraic properties of modular addition with a constant and obtain the number of terms as well as the algebraic degrees of the component Boolean functions of the output of modular addition with a constant. Finally, we present another formula for the ANF of component Boolean func- tions of modular addition modulo a power of two. This formula contains more information than representations which are presented in cryptographic literature, up to now. Keywords: Modular addition, Boolean function, Component Boolean function, Carry bit, Algebraic degree ∗ std−[email protected] 1 2 S. M. Dehnavi et al. 1. Introduction The operation of modular addition modulo a power of two is one of the most applied operations in symmetric cryptography. For instance, modular addition is used in RC6[8], MARS[4] and Twofish[9] block ci- phers and RC4[7], Bluetooth[1] and Rabbit[2] stream ciphers. In this paper, we investigate statistical and algebraic properties of modular addition modulo a power of two. Firstly, we obtain the probability distribution of modular addition carry bits and conditional probability distribution of these carry bits. Then, using these probability distri- butions and Markovity of modular addition carry bits, we compute the joint probability distribution of arbitrary number of modular addition carry bits. Algebraic properties of modular addition modulo a power of two is studied in [3]. We examine algebraic properties of modular addition with a constant and obtain the number of terms and algebraic degrees of the component Boolean functions of the output of modular addition with a constant. Finally, we present another formula for the ANF of component Boolean functions of modular addition modulo a power of two. This formula con- tains more information than previous representations which have been presented in cryptographic literature, up to now. Section 2 presents preliminary notations and definitions. In Section 3 we investigate the probability distribution of modular addition carry bits. Section 4 studies algebraic properties of modular addition with a constant and Section 5 is the conclusion. 2. Preliminaries In this paper, the number of elements (cardinal) of a finite set A is denoted by jAj. Hamming weight of a natural number or a binary vector x is denoted by w(x). For two numbers or binary vectors x; y, d(x; y) denotes their Hamming distance. The i-th bit of a natural number or a binary vector x is denoted by xi. The notation ^ is used for AND operation, o is used for cyclic right shift or rotation operation and ⊕ is used for XOR operation. n Let Z2n be the ring of integers modulo 2 . For each a 2 Z2n , the n unique integera ¯ 2 Z2n witha ¯ + a = 2 − 1 is called the complement of a. Cryptographic Properties of Addition 3 Let F2 be the field with two elements. There is a one-to-one correspon- Z n Fn dence between 2n , the ring of integers modulo 2 and 2 , Cartesian product of n copies of F2: Fn ! Z ' : 2 2n ; nX−1 i x = (xn−1; :::; x0) 7! '(x) = xi2 : i=0 ≺ Fn Now let be the partial order on 2 defined as x ≺ a , xi ≤ ai; 0 ≤ i < n: 2 Fn u un−1 u0 ≤ For x; u 2 , we define x = xn−1 :::x0 where xi and ui, 0 i < n, are the i-th components or bits of x and u, respectively. Fn ! F Every function f : 2 2 is called a Boolean function. Any Boolean function has a unique algebraic representation called its Algebraic Nor- mal Form or ANF[5]. In fact, M u f(x) = hux ; hu 2 F2: u2Z2n where, M hu = f(x): x≺u Algebraic degree of a Boolean function f is denoted by d(f) and is equal to the number of variables in the longest term in the ANF of f, or equivalently, it is equal to the greatest value of w(u) among all terms with hu =6 0. The number of terms in the ANF of the Boolean function f is denoted by n(f). Fm ! Fn Every function f : 2 2 with n > 1 is called a vectorial Boolean function or a Boolean map. Such a function can be represented as a vector of Boolean functions (fn−1; :::; f0), where each fi, 0 ≤ i < n, Fm ! F is a Boolean function fi : 2 2 and is called the i-th component Boolean function. Moreover, similar to the case of Boolean functions, Fm ! Fn any vectorial Boolean function f : 2 2 has a unique representation called its vectorial ANF. In fact, M u 2 Fn f(x) = hux ; hu 2 : u2Z2m 4 S. M. Dehnavi et al. 2 Fm Fm The inner product of two vectors a; b 2 in 2 is defined by mM−1 a:b = aibi; i=0 and the inner product of these vectors in the set of real numbers is defined by mX−1 a ◦ b = aibi: i=0 For any nonzero element a 2 Z2n , the greatest power of 2 that divides Fm ! a is denoted by p(a). We define p(0) := n. For two functions f; g : 2 Fn 2 , we define Pf;g as, jfx 2 Fmjf(x) = g(x)gj P = 2 : f;g 2m and Ef;g as, P P n−1 m x2Fm d(f(x); g(x)) jfx 2 F jf (x) = g (x)gj E = n − 2 = i=0 2 i i : f;g 2m 2m where fi's and gi's, 0 ≤ i < n, are the i-th component Boolean functions of f and g. 3. Probability Distribution of Carry Bits There is a well-known recursive formula for the carry bits of modular addition modulo a power of two: Define F2n ! Fn f : 2 2 ; z = f(x; y) = x + y (mod 2n): Then we have, zi = xi ⊕ yi ⊕ ci; 0 ≤ i < n; (3.1) c0 = 0; ci = xi−1yi−1 ⊕ ci−1(xi−1 ⊕ yi−1); 1 ≤ i < n: We use this formula in the proof of the following theorems. Theorem 3.1. Let x; y 2 Z2n . We have x + y = (x ⊕ y) + 2(x ^ y) (mod 2n): Cryptographic Properties of Addition 5 Proof. Suppose that z = x + y (mod 2n), a = x ⊕ y, b = 2(x ^ y) and c = a + b (mod 2n). From (3.1), we have zi = xi ⊕ yi ⊕ di; 0 ≤ i < n; d0 = 0; di = xi−1yi−1 ⊕ di−1(xi−1 ⊕ yi−1); 1 ≤ i < n: Also, b0 = 0; bi = xi−1yi−1; 1 ≤ i < n; ai = xi ⊕ yi; 0 ≤ i < n; and, ci = ai ⊕ bi ⊕ ei; 0 ≤ i < n; e0 = 0; ei = ai−1bi−1 ⊕ ei−1(ai−1 ⊕ bi−1); 1 ≤ i < n: At first we prove: (3.2) ei = di ⊕ xi−1yi−1; 1 ≤ i < n: We use induction on i. For i = 1, we have d1 = x0y0 ⊕ d0(x0 ⊕ y0) = x0y0; e1 = a0b0 ⊕ e0(a0 ⊕ b0) = a0b0 = 0: So, e1 = d1 ⊕ x0y0. Now assume that (3.2) is valid for i − 1. Then, ei ⊕ xi−1yi−1 = ai−1bi−1 ⊕ ei−1(ai−1 ⊕ bi−1) ⊕ xi−1yi−1 = (xi−1 ⊕ yi−1)xi−2yi−2 ⊕ (di−1 ⊕ xi−2yi−2)(xi−1 ⊕ yi−1 ⊕ xi−2yi−2) ⊕ xi−1yi−1 = (xi−1⊕yi−1)xi−2yi−2⊕di−1(xi−1⊕yi−1)⊕di−1xi−2yi−2⊕xi−2yi−2(xi−1⊕ yi−1) ⊕ xi−2yi−2 ⊕ xi−1yi−1 = (xi−1yi−1 ⊕ di−1(xi−1 ⊕ yi−1)) ⊕ di−1xi−2yi−2 ⊕ xi−2yi−2 = di ⊕ di−1xi−2yi−2 ⊕ xi−2yi−2 = di: The last equation is obtained by multiplying two sides of the equation di−1 = xi−2yi−2 ⊕ di−2(xi−2 ⊕ yi−2) by xi−2yi−2. In fact, we have di−1xi−2yi−2 = xi−2yi−2 ⊕ di−2xi−2yi−2 ⊕ di−2xi−2yi−2 = xi−2yi−2: This proves validity of (3.2). Now we are ready to prove c = z: c0 = a0 ⊕ b0 ⊕ e0 = a0 ⊕ b0 = x0 ⊕ y0 = x0 ⊕ y0 ⊕ d0 = z0; 6 S. M. Dehnavi et al. and for i > 0, ci = ai ⊕ bi ⊕ ei = (xi ⊕ yi) ⊕ xi−1yi−1 ⊕ di ⊕ xi−1yi−1 = xi ⊕ yi ⊕ di = zi: □ As a result of Theorem 3.1, we can find Pf;g, where f is the map of modular addition modulo 2n and g is the bitwise XOR map: for f and g to be equal, it suffices to have 2(x ^ y) = 0. By a simple combinatorial enumeration, we get ( ) − 3 n 1 (3.3) P = : f;g 4 In other words, (3.3) gives an approximation of modular addition with bitwise XOR. There is a well-known fact about the distribution of carry bits of modular addition: n Theorem 3.2. If x; y 2 Z2n and z = x + y (mod 2 ), then, 1 1 P (c = 0) = + ; 0 ≤ i < n: i 2 2i+1 Here, according to (3.1), ci, 0 ≤ i < n, is the i-th carry bit of modular addition.